We did a project for a customer to upgrade and reconfigure the network environment. A colleague made a new design based on SD-WAN.
To complete this job we chose to use Cisco Meraki products. We chose the following products:
– MX (firewalls)
– MS (switches)
– MR (wireless)
One of the main requirements was that it must be a dynamic environment: new locations must automatically advertise themselves to the firewall. We chose to use BGP for dynamic routing.
This is the design and how it looks:
The Cisco Meraki MX firewall uses BGP for the AutoVPN and for advertisement between the MX firewall and the next neighbor. In our case that neighbor was a firewall.
For the AutoVPN Meraki uses iBGP (Interior BGP) and for the advertisement between the MX and the firewall Meraki uses eBGP (External BGP).
The MX firewall that is used for eBGP must run in One-Armed Concentrator mode. If it does not, you have no BGP option.
By default BGP is disabled and Meraki Support must enable it. Just open a case or call them and they will do that.
How to configure the MX:
The first thing we had to do is set the MX to One-Armed Concentrator mode.
Click on the network where the MX is located and then go to Security & SD-WAN > Configure > Addressing & VLANs.
The second step is to set the MX to Passthrough or VPN Concentrator mode. The third step is to save this config by clicking on the save button.
The fourth step is to enable the VPN configuration and choose the hub mode.
The fifth step is to enable the BGP settings. Scroll down to the BGP Settings, enable it and enter the AS number for the AutoVPN domain.
Add the neighbor and the AS number of that neighbor and click on save.
Then we need to add the MX as a neighbor on the router/switch/firewall that will do the routing of your network.
After we saved the config and waited a few seconds, BGP sends an update; then you will see that the BGP session is established and that the MX gets the routing info from the sending device.
High Level example
This is a high-level view of a randomly created new environment. We use an IP-VPN with a BGP configuration and a new Meraki design with AutoVPN with BGP. With this we make a new dynamic routing network so that we can add new locations based on Meraki. If we add a new location, the new network will automatically be learned by the Core Firewall.
In this environment we had a problem with advertising the remote networks from the IP-VPN network to the Meraki MX. The problem was that the Meraki MX also learned the routes from the IP-VPN network. In this new design it was not required that this happened, so the Meraki must only learn its own network and the ranges of the datacenter where the servers are.
What did we do to solve this?
We entered an access control list on the Core Firewall. In this ACL we entered the networks that must be advertised to the Meraki MX, and the last line of that ACL was a deny.
First rule: access-list FILTER-TO-Meraki standard permit 10.1.2.0 255.255.255.0
Second rule: access-list FILTER-TO-Meraki standard permit 10.4.5.0 255.255.255.0
Third rule: access-list FILTER-TO-Meraki standard permit 172.20.2.0 255.255.255.0
Fourth rule: access-list FILTER-TO-Meraki standard permit 192.168.123.0 255.255.255.0
Fifth rule: access-list FILTER-TO-Meraki standard deny any4
We added this access-list as a distribute-list on the neighbor with the out statement. So now only the networks we added in the ACL are advertised to the Meraki MX.
We checked the route table on the Meraki MX and saw that only the networks in the ACL are learned by the Meraki.
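To make it easy to reason about what the outbound distribute-list lets through, here is a small Python emulation of how a standard ACL is evaluated against the BGP table; it is added here as an illustration and is not part of the original post or a Meraki/Cisco tool. The ACL is the one from the post; the Core Firewall's BGP table is constructed. It also shows the one caveat worth knowing: a standard ACL only compares the route's network address with the entry's address/mask, so a more specific subnet inside a permitted /24 (here 10.1.2.128/25) is advertised too; use a prefix-list when the mask must be checked as well.

```python
import ipaddress

# The ACL from the post, as (action, address, mask); first match wins.
# "deny any4" is written as 0.0.0.0 with an all-zero mask.
FILTER_TO_MERAKI = [
    ("permit", "10.1.2.0", "255.255.255.0"),
    ("permit", "10.4.5.0", "255.255.255.0"),
    ("permit", "172.20.2.0", "255.255.255.0"),
    ("permit", "192.168.123.0", "255.255.255.0"),
    ("deny", "0.0.0.0", "0.0.0.0"),
]


def entry_matches(entry_addr, entry_mask, route):
    """Standard ACL semantics: compare the route's network address against the
    entry's address/mask. The route's own prefix length is NOT compared."""
    addr = int(ipaddress.IPv4Address(entry_addr))
    mask = int(ipaddress.IPv4Address(entry_mask))
    return (int(route.network_address) & mask) == (addr & mask)


def acl_action(acl, route):
    """Return the action of the first matching entry; implicit deny at the end."""
    for action, addr, mask in acl:
        if entry_matches(addr, mask, route):
            return action
    return "deny"


def filter_outbound(acl, routes):
    """Emulate 'neighbor <MX> distribute-list <ACL> out': keep permitted routes."""
    return [r for r in routes if acl_action(acl, ipaddress.ip_network(r)) == "permit"]


# Constructed BGP table of the Core Firewall: datacenter ranges, IP-VPN remote
# sites that must not reach the MX, and one more-specific subnet (the caveat).
CORE_BGP_TABLE = [
    "10.1.2.0/24", "10.4.5.0/24", "172.20.2.0/24", "192.168.123.0/24",
    "10.50.0.0/24", "10.51.0.0/24", "172.16.8.0/22",
    "10.1.2.128/25",
]

if __name__ == "__main__":
    for prefix in CORE_BGP_TABLE:
        verdict = acl_action(FILTER_TO_MERAKI, ipaddress.ip_network(prefix))
        print(f"{prefix:18} -> {verdict}")
    print("advertised to MX:", filter_outbound(FILTER_TO_MERAKI, CORE_BGP_TABLE))
```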
Now we can add new locations so that we can phase out the old IP-VPN network.
To get more info about BGP and Cisco Meraki, visit the Meraki site.